856 Views, 0 Helpful, 4 Replies

Migrating from IOS to IOS-XE

vthbox
Beginner

Hello,

I have configured a zone-based firewall and NAT overload on a C1121 IOS-XE router. The internet stops working when I apply an access-list to restrict inbound traffic on the WAN interface. It's mandatory to restrict access from outside on the WAN interface. I'd appreciate any help.

--------------------------------------------------------------------------------------

config:

!
interface GigabitEthernet1
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 zone-member security IN
 negotiation auto
 no mop enabled
 no mop sysid
end

CSR#sh run int Gi2
Building configuration...

Current configuration : 198 bytes
!
interface GigabitEthernet2
 ip address 150.1.1.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-TO-INSIDE in
 zone-member security OUT
 negotiation auto
 no mop enabled
 no mop sysid
end
!
class-map type inspect match-all IN-OUT-CLASS
 match access-group name IN-OUT-ACL
class-map type inspect match-any WEB-CLASS
 match protocol http
!
policy-map type inspect WEB-POLICY
 class type inspect WEB-CLASS
  inspect
 class class-default
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
!
zone-pair security IN-OUT-ZP source IN destination OUT
 service-policy type inspect IN-OUT-POLICY
zone-pair security OUT-IN-ZP source OUT destination IN
 service-policy type inspect WEB-POLICY
!
ip access-list extended OUTSIDE-TO-INSIDE
 permit tcp any host 150.1.1.1 eq 443
 permit udp any host 150.1.1.1 eq isakmp
 permit udp any host 150.1.1.1 eq non500-isakmp
 permit esp any host 150.1.1.1
!
ip access-list extended nating
 permit ip 1.1.1.0 0.0.0.255 any
!
ip nat inside source route-map NAT interface GigabitEthernet2 overload
!
route-map NAT permit 5
 match ip address nating
!


4 Replies

What was the IOS code this was working on, and what is the new IOS XE version you upgraded to?

 

BB

***** Rate All Helpful Responses *****


Hi Balaji, thanks a lot for responding. We have this configuration working on "c800-universalk9-mz.SPA.155-3.M4a.bin". Planning to upgrade this router to C1121 with IOS-XE 17.02.02.

Kureli Sankar
Cisco Employee

Please do not combine ZBF with an ACL. Remove the ACL and let ZBF do its job.

 

-Kureli

Thank you, Kureli. If I remove the ACL "OUTSIDE-TO-INSIDE" on the WAN interface, then how do I restrict inbound packets without disturbing the internet? I think the ACL is blocking stateful inspection by ZBF, which should not happen. Thanks a lot in advance.
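One way to keep the same inbound restriction while following the advice to drop the interface ACL, as an added example that is not part of this thread and not Cisco's own reference config: the WAN ACL is evaluated on ingress with no knowledge of ZBF session state, so it discards the return packets of sessions the inside hosts opened; the rules it expressed (HTTPS, IKE and ESP to the router itself) instead become an OUT-to-self zone-pair policy. The zone names IN and OUT, the interface addresses and the existing zone-pairs are taken from the post; the ACL, class-map, policy-map and zone-pair names below are assumed.

```cisco
! 1. Remove the interface ACL. ZBF's default for OUT -> IN is already
!    drop for anything not permitted by WEB-POLICY, which is the
!    "restrict inbound" behaviour the ACL was trying to provide.
interface GigabitEthernet2
 no ip access-group OUTSIDE-TO-INSIDE in
!
! 2. Traffic addressed to the router itself (management HTTPS, IKE, ESP)
!    is handled by the self zone, not by the OUT -> IN zone-pair.
!    ESP/ISAKMP are passed (not inspected); HTTPS is inspected so its
!    return traffic is tracked by state.
ip access-list extended OUT-TO-SELF-PASS-ACL
 permit udp any host 150.1.1.1 eq isakmp
 permit udp any host 150.1.1.1 eq non500-isakmp
 permit esp any host 150.1.1.1
!
ip access-list extended OUT-TO-SELF-INSPECT-ACL
 permit tcp any host 150.1.1.1 eq 443
!
class-map type inspect match-all OUT-SELF-PASS-CLASS
 match access-group name OUT-TO-SELF-PASS-ACL
class-map type inspect match-all OUT-SELF-INSPECT-CLASS
 match access-group name OUT-TO-SELF-INSPECT-ACL
!
policy-map type inspect OUT-SELF-POLICY
 class type inspect OUT-SELF-PASS-CLASS
  pass
 class type inspect OUT-SELF-INSPECT-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-SELF-ZP source OUT destination self
 service-policy type inspect OUT-SELF-POLICY
!
! 3. Assumption: no self -> OUT zone-pair is defined, so router-originated
!    traffic (IKE initiations, ESP it sends back) keeps the default
!    self-zone pass behaviour. If one is added later, ESP/ISAKMP need
!    a matching pass class there too.
!
! Check: sessions opened from the inside should now appear as
!   show policy-map type inspect zone-pair IN-OUT-ZP sessions
! and drops to the router itself are visible under the class-default
! counters of OUT-SELF-ZP.
```

The effect is that return traffic of inside-initiated sessions is admitted by the IN-OUT-ZP inspection state rather than being filtered by a stateless ACL, while unsolicited traffic to the router is limited to the three services and logged when dropped.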
